Re: xAP Intranet Behind a Reverse Proxy...

[James <james@xxxxxxx>]

Hi,
Thanks for all the info.Couple of questions though:
_" #xAP Intranet App refresh fix? since xAP applications refresh to
# /index.xsp, and do so with a window.location javascript command
# (which unfortunately doesn't send a referrer value, so it's impossible
# to tell which Intranet App is refreshing.) "


Do you know of a similar javscript function that would help out here?

__ #Background images in tables, and style sheet URLS, can't be proxied
# correctly. We need to rewrite those URLs?

Is this because of how the Intranet sites display the graphics or a
limitation in the apache module?


__Also do you mind if I copy this how-to in to the mi4 guides section?

Many thanks

James

_Sullivan, Glenn wrote:
>
> Here we go... I got it all working, on a windows box. I'm going to
> write this as if you are starting from scratch... I was.
>
> What I wanted was two sites: One for public content, and one that was
> secure. And "subdirectories" on the secure site proxying to
my TiVo,
> etc...
>
> First, stop IIS by stopping the IISAdmin Service. If you're savvy
> enough, you can just change the ports it runs on, and then proxy to
> that server too, but for now, get it out of the way.
>
> I started with out Apache 2, but couldn't find a binary compile of the
> mod_proxy_html module, which I needed to make this work. So I switched
> to Apache 2.2...
>
>     * Download and extract the Binary Build of Apache 2.2 from
>       apachelounge.com. You'll need to register with the site to get
>       it, but it's free.
>       I chose to extract to c:\Program Files\Apache Group\Apache2,
>       since that's where Apache 2 (I renamed the old directory first?)
>       was installed. We'll call this "SERVERROOT
>       _http://www.apachelounge.com/download/_
>     * _Download The Binary Build of mod_proxy_html from the same
site._
>     * _Create the folder SERVERROOT\modules\mod_proxy_html and extract
>       three file from the mod_proxy_html package into it:_
>           o _mod_proxy_html.so_
>           o _Microsoft.VC80.CRT.manifest_
>           o _msvcr80.dll_
>     * _Go to: _
>       _http://www.zlatkovic.com/pub/libxml/__
and download:_
>           o _libxml2-2.6.23+.win32.zip
>             Extract libxml2.dll from the bin directory in the zip file
>             to SERVERROOT\bin_
>           o _iconv-1.9.1.win32.zip
>             Extract iconv.dll from the bin directory in the zip file
>             to SERVERROOT\bin_
>           o _zlib-1.2.3.win32.zip
>             Extract zlib1.dll and minigzip.exe from the bin directory
>             in the zip file to SERVERROOT\bin_
>     * _Create 3 locations to hold the Local web files? i.e., not the
>       proxied stuff, but the actual sites.
>       Base Site - We won't be using this, except to trap errors in our
>       virtual hosts. I used c:\INetPub\Apache Root\BaseSite
>       Public site - This is the publicly accessible site. I chose
>       c:\INetPub\Apache Root\Public
>       Secure Site - Here is your secure site. I used C:\INetPub\Apache
>       Root\Secure_
>     * _Create a "html" directory under each web sites
directory. This
>       will hold the local site. Put a basic HTML file into each html
>       directory, named index.html, that make it easy to see which one
>       you've hit. I used something simple, replacing the work
"Base"
>       with "Public" and "Secure" as appropriate...
>       <HTML>
>       <BODY>
>       Base Index
>       </BODY>
>       </HTML>_
>     * _(Optional) if you think you might want to run scripts on either
>       site (again, not proxied, but locally), either create one
>       central cgi-bin directory, or one for each site. If you don't
>       know what I'm talking about, "fahghet about it?"_
>     * _Open up SERVERROOT\conf\httd.conf_
>           o _Change "ServerRoot" to reflect the path you
chose to
>             install Apache to, using Unix Style path notation. Here is
>             mine:
>             ServerRoot "C:/Program Files/Apache
Group/Apache2"_
>           o _Change the ServerAdmin line to a real email address, to
>             meet the RFCs_
>           o _Leave ServerName set to localhost:80. We are going to use
>             Name Based Virtual Hosts, so we don't care about the
>             "base" name or address._
>           o _Change DocumentRoot to point to the html directory under
>             your base site directory. Again, not to be used normally,
>             but if you see the pages in this folder, you know
>             something is set up wrong. I used:
>             DocumentRoot "c:/INetPub/Apache
Root/BaseSite/html"_
>           o _Look for this line, just a few lines below DocumentRoot:
>             # This should be changed to whatever you set DocumentRoot
to.
>             Change the "<Document" line that follows it
to reflect
>             your DocumentRoot above._
>           o _Find a remove the pound sign from the beginning of this
>             line, almost at the end of the file:
>             #Include conf/extra/httpd-vhosts.conf_
>           o _Find the section of modules, close to the top of the
>             file. Uncomment the following list of Modules_
>                 + _LoadModule headers_module modules/mod_headers.so_
>                 + _LoadModule proxy_module modules/mod_proxy.so_
>                 + _LoadModule proxy_http_module
modules/mod_proxy_http.so_
>                 + _LoadModule rewrite_module modules/mod_rewrite.so_
>           o _Add the following module definition at the bottom of the
>             list of modules:
>             LoadModule proxy_html_module
>             modules/mod_proxy_html/mod_proxy_html.so_
>           o _Close and Save the httpd.conf file_
>     * _Open up SERVERROOT\conf\extra\httpd-vhosts.conf_
>           o _Comment out the virtual hosts that are there by default?
>             put a pound sign as the first character in each line._
>           o _Create just the public site for now? add this code:
>             <VirtualHost *:80>
>             #Document Root should point to your public html directory
>             that you create above?
>             DocumentRoot "C:/Inetpub/Apache
Root/public/html"
>             #ServerName should be the DNS name of the public site.
>             ServerName _
>             _www.sitename.com_ <file://www.sitename.com>_
>             #(Optional) remove this line if you don't need scripts? I
do.
>             ScriptAlias cgi-bin "C:/Inetpub/Apache
Root/public/cgi-bin"
>           o </VirtualHost>_ _Close and Save the
httpd-vhosts.conf file._
>     * _Open a command prompt, and navigate to SERVERROOt\bin._
>     * _At the command prompt, type "httpd -S" to verify the
config
>       files. Assuming that you get no error messages..._
>     * _At the command prompt, type "httpd" to start up
apache._
>     * _If you do not have access to your own DNS servers, or if the
>       public name that you used above does not route to the IP address
>       of the machine that you are working on, you will have to modify
>       your hosts file so that _
>       _www.sitename.com_ <file://www.sitename.com>_ will resolve
to
>       your IP address. This is a great test, and necessary, because if
>       we try to browse via IP address, our name base virtual host
>       won't work..._
>           o _Open up %systemroot%\system32\drivers\etc\hosts in a text
>             editor_
>           o _Add the following lines, replacing the dummy IP address
>             below with the IP address of the machine apache is
>             installed on.
>             123.456.789.123 _
>             _www.sitename.com_ <file://www.sitename.com>_
>           o 123.456.789.123 secure.sitename.com_ _Save the file._
>     * _Fire up a web browser, and navigate to _
>       *MailScanner warning: numerical links are often malicious:*
>       _http://123.456.789.123__ (use your own
IP) and you should see
>     * your base page._ _Fire up a web browser, and navigate to _
>       _http://www.sitename.com__ (use your
own name) and you should
>     * see your public page._ _Assuming that all worked, hit ctrl-c in
>       the command prompt window to stop the apache server._
>     * _Next, we create the password file for the secure site?_
>           o _Assuming that you still have the command prompt open, in
>             the apache bin directory, execute the following command,
>             replacing "username" with the username that you
want to be
>             valid at the secure site:
>             htpasswd -c .htpasswd username_
>           o _Provide a password when prompted._
>           o _Move .htpasswd from the bin directory to the directory
>             that you chose for your secure site. Don't put it into the
>             HTML directory, but in the root of the secure directory._
>     * _Open back up the SERVERROOT\conf\extra\httpd-vhosts.conf file._
>     * _Below the public site, we'll create the secure virtual host.
>       Here is mine, with comments explaining what each thing does:
>       <VirtualHost *:80>
>       DocumentRoot "C:/Inetpub/Apache Root/Secure/html"
>       ServerName secure.sitename.com
>       #(Optional) for scripts...
>       ScriptAlias cgi-bin "C:/Inetpub/Apache
Root/Secure/cgi-bin"
>
>       #Set Up Directory Security
>       <Directory />
>       AuthName "only for registered users"
>       AuthType Basic
>       AuthUserFile "C:/Inetpub/Apache Root/Secure/.htpasswd"
>       <Limit GET>
>       require valid-user
>       </Limit>
>       </Directory>
>
>       #Turn on the ReWrite Engine, to help with redirections that
>       proxy doesn't catch
>       RewriteEngine on
>       RewriteLog "c:/INetPub/Apache Root/Rewrite.log"
>       #While debugging, set the LogLevel high. But NOT IN PRODUCTION!!
>       RewriteLogLevel 9
>
>       #Convert all URL's to Lower Case
>       Rewritemap lowercase int:tolower
>       RewriteCond $1 [A-Z]
>       RewriteRule ^/(.*)$ /${lowercase:$1} [R=301,L]
>
>       #xAP Intranet App refresh fix? since xAP applications refresh to
>       # /index.xsp, and do so with a window.location javascript
command
>       # (which unfortunately doesn't send a referrer value, so it's
>       impossible
>       # to tell which Intranet App is refreshing.) You must choose
>       one, and
>       # all of them will refresh to that page. I don't see another
option.
>       #
>       # Set the RewriteRule to the page that you want
>       RewriteCond %{REQUEST_URI} ^/index.xsp$
>       RewriteRule / /switchboard/index.xsp [R=301,L]
>
>       #Background images in tables, and style sheet URLS, can't be
proxied
>       # correctly. We need to rewrite those URLs?
>       #
>       # xAP Switchboard background fix
>       RewriteCond %{HTTP_REFERER} switchboard
>       RewriteCond %{REQUEST_URI} ^/images/(.*)
>       RewriteRule ^/images/(.*) /switchboard/images/$1 [R=301,L]
>
>       #xAP News background fix
>       RewriteCond %{HTTP_REFERER} news
>       RewriteCond %{REQUEST_URI} ^/images/(.*)
>       RewriteRule ^/images/(.*) /news/images/$1 [R=301,L]
>
>       #Turn Off "Forward" proxying? we want to reverse
proxy, not be a
>       bounce
>       # off site for hackers and spammers...
>       ProxyRequests off
>
>       #Proxy to the TiVo
>       # This is easy, because TivoWeb provides a setting which tacks a
>       directory to
>       # the front of each URL automatically? Change the IP as
necessary...
>       ProxyPass /tivo _
>       *MailScanner warning: numerical links are often malicious:*
>       _http://192.168.64.251__
>       <Location /tivo/>
>       ProxyPassReverse /
>       </Location>
>
>       #Proxy to Switchboard
>       ProxyPass /switchboard _*MailScanner warning: numerical links
>       are often malicious:* _http://192.168.64.2:52340__
>       #Remap all URLs from the IP:PORT of switchboard to /switchboard
>       # This takes care of ABSOLUTE URLs.
>       ProxyHTMLURLMap _*MailScanner warning: numerical links are often
>       malicious:* _http://192.168.64.2:52340__
/switchboard
>       <Location /switchboard>
>       # ProxyPassReverse takes care of meta-tags. Switchboard doesn't
>       have them,
>       # but it is bad form to not include them...
>       ProxyPassReverse /
>       # Turn on the URLMap Filters, to re-write URLs
>       SetOutputFilter proxy-html
>       # Links to deletelog.gif start with 'web/' instead of '/web/'
>       # This rule catches and re-writes them
>       ProxyHTMLURLMap web /switchboard/web
>       # This rule is to catch everything else
>       ProxyHTMLURLMap / /switchboard/
>       # and This Rule is to stop us from recursively re-writing the
>       links multiple times
>       ProxyHTMLURLMap /switchboard /switchboard
>       #Disable compressed HTML
>       RequestHeader unset Accept-Encoding
>       </Location>
>
>       #Proxy to news
>       ProxyPass /news _*MailScanner warning: numerical links are often
>       malicious:* _http://192.168.64.2:54000__
>       #Remap all URLs from the IP:PORT of switchboard to /news
>       # This takes care of ABSOLUTE URLs.
>       ProxyHTMLURLMap _*MailScanner warning: numerical links are often
>       malicious:* _http://192.168.64.2:54000__ /news
>       <Location /news>
>       # ProxyPassReverse takes care of meta-tags. Switchboard doesn't
>       have them,
>       # but it is bad form to not include them...
>       ProxyPassReverse /
>       # Turn on the URLMap Filters, to re-write URLs
>       SetOutputFilter proxy-html
>       # Not sure if anything else doesn't have the leading slash.
>       # This rule catches and re-writes them
>       ProxyHTMLURLMap web /news/web
>       # This rule is to catch everything else
>       ProxyHTMLURLMap / /news/
>       # and This Rule is to stop us from recursively re-writing the
>       links multiple times
>       ProxyHTMLURLMap /news /news
>       #Disable compressed HTML
>       RequestHeader unset Accept-Encoding
>       </Location>
>
>     * </VirtualHost>_ _Once again, run "httpd -S" to
verify that
>       you've got it right._
>     * _Assuming so, run httpd with no switches, to start the server_
>     * _Navigate to _
>     * _http://secure.sitename.com/tivo__
for the tivo_ _Navigate to _
>     * _http://secure.sitename.com/switchboard__
for switchboard_
>       _Navigate to _
>     * _http://secure.sitename.com/news__
for the news_ _To install
>       httd as a service, run "httpd -k install" and it will
create a
>       Windows Service to run under._
>       _
>       _
>
> _I hope this helps? sorry for the long winded description, but I know
> I'll be glad it's here in 5 years when my existing server goes t!ts up
> and I have to start over..._
>
> _Glenn Sullivan, MCSE+I MCDBA_ _
> David Clark Company Inc.
> -----Original Message-----
> From: xap_automation@xxxxxxx
> [__mailto:xap_automation@xxxxxxx__]
On Behalf Of James_ _
> Sent: Wednesday, April 12, 2006 3:34 PM
> To: xap_automation@xxxxxxx
> Subject: Re: [xap_automation] xAP Intranet Behind a Reverse Proxy... _
>
> _Hi,_
>
> _Have to say i've never tried this with an inrtanet app. I do remember
> once trying an apache reverse proxy and i'm sure i just used the usual
> mod_proxy but i do remember having to set ProxyPass and
> ProxyPassReverse for it to work right._
>
> _Currently the web ports are preset and not changable but i'll add a
> config option for it. I might well also allow it to just use random
> port if it can't bind as all the intranet apps will re-link to
> whatever the port ( although if setting up a reverse proxy that won't
> be useful at all)_
>
> _I'll be very interested to know how you get on_
>
> _James_
>
> _Sullivan, Glenn wrote:_ _
> > I figured out what I believe will be a solution... Apache has a
module
> > called MOD_PROXY_HTML which can rewrite a page's hyperlinks so
that
> > they resolve correctly.
> >
> > I'm downloading the source now... I'll report how I get on.
> >
> > How does an Intranet App pick it's web port? I may have to write
a
> > xAP module for apache to change them dynamically...
> >
> >
> > Glenn Sullivan, MCSE+I MCDBA
> > David Clark Company Inc.
> > -----Original Message-----
> > From: xap_automation@xxxxxxx
> > [__mailto:xap_automation@xxxxxxx__]
On Behalf Of Sullivan,
> Glenn_ _
> > Sent: Monday, April 10, 2006 9:09 AM
> > To: xap_automation@xxxxxxx
> > Subject: [xap_automation] xAP Intranet Behind a Reverse Proxy...
> >
> > Is there any facility for setting the BASEREF of xAP Intranet
pages?
> >
> > I have recently set up an Apache Server to reverse proxy all of
my
> > internal services out to the real world. I have tried to proxy
> > through the Switchboard page, but all of the URL's are absolute,
and
> > not relative.
> >
> > I get the HTML of the page, but all of the links and images are
> > broken...
> >
> > If not, I can set up another virtual site, and link to it. I was
just
> > trying to make it as simple as possible, like TivoWeb is...
> >
> > TIA,
> >
> > Glenn Sullivan, MCSE+I MCDBA
> > David Clark Company Inc.
> >
> >
> >
> > Yahoo! Groups Links
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > Yahoo! Groups Links
> >
> >
> >
> >
> >
> >
> >
> > _
>
> _
>
> _
>
> _ _ _
> Yahoo! Groups Links _
>
>
>
> _
>
> _
> _ _
> _
> _ _
>
------------------------------------------------------------------------
> _ YAHOO! GROUPS LINKS _
> _
> _
>
>     * _ Visit your group "xap_automation
>       <http://groups.yahoo.com/group/xap_automation>"
on the web.
>     * To unsubscribe from this group, send an email to:
>       xap_automation-unsubscribe@xxxxxxx
>       <mailto:xap_automation-unsubscribe@xxxxxxx?subject=Unsubscribe>
>     * Your use of Yahoo! Groups is subject to the Yahoo! Terms of
>       Service <http://docs.yahoo.com/info/terms/>.
>       _
>
> _
> _
> _ _
>
------------------------------------------------------------------------
> _
> _